See https://www.lunasec.io/docs/blog/log4j-zero-day/ and https://www.randori.com/blog/cve-2021-44228/.

Brief summary: a Remote Code Execution vulnerability was discovered yesterday in Log4J between versions 2.0 and 2.14.1 inclusive. This vulnerability was patched in the most recent release, 2.15.0.

I see that the Spring Boot Logging Starter has a dependency on org.apache.logging.log4j:log4j-to-slf4j, at version 2.14.1, a vulnerable version.

From what I can tell, log4j-to-slf4j is the only artifact of the group org.apache.logging.log4j to which Spring Boot has any dependency. I am unsure whether this artifact alone exposes this vulnerability, or if only the log4j-core artifact is vulnerable.

Raising this issue as a "better safe than sorry" measure, to discern if Spring is left vulnerable here, and patch to the most recent version if so.

Comment From: wilkinsona

Duplicates https://github.com/spring-projects/spring-boot/issues/28978 and https://github.com/spring-projects/spring-boot/issues/28958. It is only the log4j-core artifact that is vulnerable.
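A dependency-tree check that encodes this distinction, added here as an example (not code from the issue, from Spring Boot or from Log4j). It assumes the default text format of `mvn dependency:tree` and uses a constructed sample tree; it flags only `log4j-core` within the version range the issue states, and lists `log4j-api` and `log4j-to-slf4j` as safe.

```python
import re
# Added example, not Spring Boot project code: parse `mvn dependency:tree` output and
# flag log4j-core only, in the affected range the issue states (2.0 .. 2.14.1, fixed in 2.15.0).
LOG4J_GROUP = "org.apache.logging.log4j"
VULNERABLE_ARTIFACT = "log4j-core"  # log4j-api and log4j-to-slf4j are not the vulnerable artifact
VULN_MIN, FIXED_IN = (2, 0, 0), (2, 15, 0)
# Default text format: "[INFO] <tree chars> groupId:artifactId:type[:classifier]:version[:scope]"
_COORD_RE = re.compile(r"^\[INFO\]\s*[|+\\ -]*\s*(\S+:\S+)$")
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-beta9' are ignored."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def parse_coordinate(line):
    """Return (groupId, artifactId, version) for one tree line, or None."""
    m = _COORD_RE.match(line)
    parts = m.group(1).split(":") if m else []
    if len(parts) < 4:
        return None
    # The root line has no scope (g:a:type:version); every other line ends with the scope.
    version = parts[3] if len(parts) == 4 else parts[-2]
    return parts[0], parts[1], version

def is_vulnerable(group, artifact, version):
    """Only log4j-core inside the affected range counts; the API and bridge jars do not."""
    if group != LOG4J_GROUP or artifact != VULNERABLE_ARTIFACT:
        return False
    return VULN_MIN <= parse_version(version) < FIXED_IN

def scan_tree(tree_output):
    """Classify every org.apache.logging.log4j artifact as 'vulnerable' or 'safe'."""
    report = {"vulnerable": [], "safe": []}
    for line in tree_output.splitlines():
        coord = parse_coordinate(line)
        if coord and coord[0] == LOG4J_GROUP:
            report["vulnerable" if is_vulnerable(*coord) else "safe"].append(f"{coord[1]}:{coord[2]}")
    return report

# Constructed sample of dependency:tree output (not captured from a real build).
SAMPLE_TREE = r"""
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-logging:jar:2.6.1:compile
[INFO] |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO] |  |  \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
"""
```

Run it against real output with `scan_tree(open("tree.txt").read())`; a non-empty `vulnerable` list means a `log4j-core` jar in the affected range is on the classpath, whereas the bridge alone produces only `safe` entries.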

Comment From: andersthorbeck

Ah, apologies, I see now that I only searched in open issues before I created this one, not also in closed issues. Thank you for your swift response!